[dnsdist] Only answer queries for subdomain from certain IPs?

Remi Gacogne remi.gacogne at powerdns.com
Tue Jun 23 10:09:31 UTC 2020


Hi Jason,

On 6/22/20 7:04 PM, Jason Bailey via dnsdist wrote:
> So I want to put dnsdist in front of all of my recursor and my auth
> servers and make sure that a given subdomain basically only exists when
> queried by a given IP or set of IPs. 
> 
> For example, suppose I have the subdomain my.example.com. If a client
> from my allowed list queries dnsdist for my.example.com, it passes it
> through to the recursor or auth server (whatever makes sense for that
> given circumstance) and returns the answer accordingly. If, on the other
> hand, a client that isn't on my allowed list happens to query dnsdist
> for that same subdomain, dnsdist responds to the client that the domain
> my.example.com doesn't exist and subsequently does not pass it through
> to recursor or auth.  If it's for any other subdomain
> (ftp.example.com or whatever), dnsdist should just pass it through as
> usual and let recursor or auth handle it as it would.
> 
> Can dnsdist do that effectively? If so, how would I go about it?

Yes, you would need to combine two rules to match the client source and
the requested domain, for example:

-- allowed client networks
nmg = newNMG()
nmg:addMask('192.0.2.0/24')
nmg:addMask('2001:DB8::/32')
-- the restricted domain (matches the name itself and everything below it)
suffixes = newSuffixMatchNode()
suffixes:add("powerdns.com.")

-- name is under the suffix AND the client is NOT in the allowed networks
addAction(AndRule({SuffixMatchNodeRule(suffixes),
NotRule(NetmaskGroupRule(nmg))}), RCodeAction(DNSRCode.NXDOMAIN))


That would match clients not coming from 192.0.2.0/24 or 2001:DB8::/32
and requesting a name below or at powerdns.com, sending an NXDOMAIN
answer to them.
In 1.5.0 (currently in release candidate state) we introduced the
SetNegativeAndSOAAction action [1] which would be a bit better than the
RCodeAction for that use case since it would also send back a SOA record
in the response, but RCodeAction should also be fine.
The same kind of logic can be used with PoolAction() to route queries to
an authoritative server or a recursive server depending on the requested
domain.

[1]: https://dnsdist.org/rules-actions.html?#SetNegativeAndSOAAction

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
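Added example (not from the original thread): a complete dnsdist configuration that applies the AndRule/NotRule pattern from the reply to the my.example.com scenario in the question, uses SetNegativeAndSOAAction (1.5.0+) for the negative answer, and then routes the remaining queries to an authoritative or a recursive pool with PoolAction. The backend addresses, pool names, SOA values and allowed client networks are assumptions.

```lua
setLocal('0.0.0.0:53')

-- Backends (assumed addresses): an authoritative server for example.com
-- and a recursor for everything else, each in its own pool
newServer({address = '192.0.2.10:53', pool = 'auth'})
newServer({address = '192.0.2.20:53', pool = 'recursor'})

-- Clients allowed to see my.example.com (assumed ranges)
allowed = newNMG()
allowed:addMask('192.0.2.0/24')
allowed:addMask('2001:db8::/32')

-- The restricted subdomain: matches my.example.com and every name below it
restricted = newSuffixMatchNode()
restricted:add('my.example.com.')

-- Names handled by the authoritative pool
authZones = newSuffixMatchNode()
authZones:add('example.com.')

-- 1. Queries for my.example.com from clients outside the allowed networks
--    get a negative answer carrying an SOA, so a resolving client caches
--    the NXDOMAIN for the SOA minimum (300s here). Rules run in order, so
--    this must come before the PoolAction rules below. On dnsdist < 1.5.0
--    use RCodeAction(DNSRCode.NXDOMAIN) instead.
addAction(AndRule({SuffixMatchNodeRule(restricted),
                   NotRule(NetmaskGroupRule(allowed))}),
          SetNegativeAndSOAAction(true, 'example.com.', 3600,
                                  'ns1.example.com.', 'hostmaster.example.com.',
                                  1, 3600, 900, 604800, 300))

-- 2. Everything at or below example.com (including my.example.com for the
--    allowed clients, which did not match rule 1) goes to the auth pool
addAction(SuffixMatchNodeRule(authZones), PoolAction('auth'))

-- 3. Any other name goes to the recursor
addAction(AllRule(), PoolAction('recursor'))
```

The check only sees the source address that reaches dnsdist, so anything in front of it (a NAT or load balancer) that rewrites client addresses would make every query appear to come from the same network.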
